WO2024177382A1 - Network access control system and associated method - Google Patents
Publication number: WO2024177382A1 (PCT/KR2024/002268)
Authority: WO (WIPO (PCT))
Classifications
- H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/66: Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- H04L41/28: Restricting access to network management systems or functions, e.g. using an authorisation function to access network configuration
- H04L65/102: Gateways (network arrangements, protocols or services for supporting real-time applications in data packet communication)
- H04L9/40: Network security protocols
Definitions
- Embodiments disclosed in this document relate to a system for controlling network access and a method thereof.
- A number of devices can communicate data over a network; for example, a terminal can transmit data to or receive data from a server over the Internet.
- The network can include a public network such as the Internet, as well as a private network such as an intranet.
- Controlling a node's network access using tunneling or authentication information embedded in data packets can prevent unauthorized or insecure nodes from accessing the destination network.
- A gateway at the border of a destination network must use the authentication information included in a tunnel or data packet, which is the minimum access control unit, to check whether the node is authorized.
- When a node attempts to access a target service without an access control application installed, access to the destination network is blocked, and the user of the node has no way of knowing why access to the destination network was blocked.
- When the access control application cannot be installed (e.g., a node with an old operating system for which the technical support required to install the access control application has ended, a low-power IoT device with low absolute hardware specifications, a node with an operating system not supported by the access control application, etc.), the node cannot access the destination network at all.
- A gateway comprises a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory. The processor is configured to receive a data packet for a service request from a node, determine whether a data flow corresponding to the data packet exists, and, if the data flow exists, forward the data packet to the destination network of the data packet. If the data flow does not exist, the processor forwards the data packet to an external server (in one variant, an authentication server) and, after forwarding, receives information about the data flow from the external server according to the authentication result for the node.
- An external control server includes a communication circuit, a memory, and a processor operatively connected to the communication circuit and the memory. The processor is configured to, when a data packet for a service request is obtained, transmit authentication support information to the node with reference to the data packet, obtain a network connection request including a source IP (Internet Protocol) address from the node based on the authentication support information, determine whether the node is connectable to the destination network based on the information included in the network connection request, and, if connection is confirmed to be possible, generate a data flow corresponding to the identification information and transmit information on the data flow to a gateway.
- The operating method of the gateway may include: receiving a data packet for a service request from a node; checking whether a data flow corresponding to the data packet exists; if the data flow exists, forwarding the data packet to the destination network of the data packet; if the data flow does not exist, forwarding the data packet to an external server (e.g., an authentication server); and then, when information about the data flow is received from the external server or a control server according to the authentication result for the node, forwarding the data packet to the destination network.
- A node can access a target service even if a connection control application is not installed on the node.
- A node on which an access control application is installed is granted first access rights, and a node that performs an authentication process is granted second access rights, which enables the node to access a target service efficiently.
- The security of the destination network can be improved by recovering a tunnel or data flow when a target application installed on a node is terminated, or based on a security event received from a linking system.
- Figure 1 illustrates an architecture within a network environment according to various embodiments.
- FIG. 2 is a functional block diagram illustrating a database stored in a control server according to various embodiments.
- FIG. 3 illustrates a functional block diagram of a gateway according to various embodiments.
- FIGS. 4A and 4B illustrate operations for controlling transmission of data packets according to various embodiments.
- Figure 5 is a diagram explaining the operation of a gateway when a node on which an access control application is not installed attempts to access a service server.
- Figures 6 to 10 are drawings for explaining operations related to nodes on which an access control application is not installed.
- FIG. 11 is a diagram illustrating data packets according to various embodiments related to authentication information required for creating a logical connection.
- Figures 12 to 16 are drawings for explaining operations related to a node on which an access control application is installed.
- Figure 17 is a diagram explaining the protocol inspection process.
- Figure 18 is a diagram explaining the process by which a gateway processes a service request.
- Figure 19 is a diagram for explaining the structure of service request information with a data flow header inserted.
- When a component (e.g., a first component) is described as being connected to another component (e.g., a second component), the component can be connected to the other component directly (e.g., wired), wirelessly, or through a third component.
- Each component (e.g., a module or a program) of the components described in this document may include a single or multiple entities. According to various embodiments, one or more of the components or operations of the components may be omitted, or one or more other components or operations may be added. Alternatively or additionally, a plurality of components (e.g., a module or a program) may be integrated into a single component. In such a case, the integrated component may perform one or more functions of each of the components of the plurality of components identically or similarly to those performed by the corresponding component of the plurality of components before the integration.
- the operations performed by the module, program or other component may be executed sequentially, in parallel, repeatedly, or heuristically, or one or more of the operations may be executed in a different order, omitted, or one or more other operations may be added.
- The term 'module' or '...part' used in this document may include a unit implemented in hardware, software, or firmware, and may be used interchangeably with terms such as logic, logic block, component, or circuit.
- a module may be an integrally configured component or a minimum unit of the component or a portion thereof that performs one or more functions.
- a module may be implemented in the form of an application-specific integrated circuit (ASIC).
- Various embodiments of the present document may be implemented as software (e.g., a program or an application) including one or more instructions stored in a storage medium (e.g., a memory) that can be read by a machine.
- a processor of the machine may call at least one instruction among the one or more instructions stored from the storage medium and execute it. This enables the machine to operate to perform at least one function according to the at least one instruction called.
- the one or more instructions may include code generated by a compiler or code that can be executed by an interpreter.
- the machine-readable storage medium may be provided in the form of a non-transitory storage medium.
- 'non-transitory' only means that the storage medium is a tangible device and does not include a signal (e.g., an electromagnetic wave), and this term does not distinguish between cases where data is stored semi-permanently and cases where it is stored temporarily in the storage medium.
- the method according to various embodiments disclosed in this document may be provided as included in a computer program product.
- the computer program product may be traded between a seller and a buyer as a commodity.
- the computer program product may be distributed in the form of a machine-readable storage medium (e.g., a compact disc read only memory (CD-ROM)), or may be distributed online (e.g., downloaded or uploaded) through an application store or directly between two user devices (e.g., smartphones).
- a part of the computer program product may be temporarily stored or temporarily generated in a machine-readable storage medium, such as a memory of a manufacturer's server, a server of an application store, or an intermediary server.
- Figure 1 illustrates an architecture within a network environment according to various embodiments.
- nodes (103_1, 103_2) may be various types of devices capable of performing data communication.
- nodes (103_1, 103_2) may include portable devices such as smartphones or tablets, computer devices such as desktops or laptops, multimedia devices, medical devices, cameras, wearable devices, virtual reality (VR) devices, or home appliance devices, but are not limited to the aforementioned devices.
- Nodes (103_1, 103_2) may also be referred to as 'electronic devices' or 'terminals'.
- the gateway (101) can be connected to nodes (103_1, 103_2).
- The gateway (101) can support nodes (103_1, 103_2) in connecting to service servers (105_1, 105_2) by providing them with a structure that allows communication only when a data flow authorized by a control server (102) exists.
- the gateway (101) may receive a data packet for connection to a destination network from a node, determine whether a data flow corresponding to the data packet exists, and if it is determined that the data flow exists, forward the data packet to the destination network to support processing of the node's service request. If it is determined that the data flow does not exist, the gateway may forward the data packet to an external server (e.g., an authentication server (104)) to support authentication of the node. In addition, information on the data flow may be received from the external server according to the authentication result of the node.
- If it is determined that no data flow exists, the gateway (101) checks whether the data packet belongs to an authenticable protocol. If it does, the gateway performs a network address translation (NAT) process that rewrites the destination IP and destination port of the data packet to the IP and port of an external server (e.g., an authentication server (104)), and forwards the data packet there.
- When an access control application is installed on a node (103_1), the gateway (101) receives a tunnel creation request from the node (103_1), creates a tunnel with the node (103_1) based on the request, and then communicates with the node through the tunnel.
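The gateway decision described above (forward when a data flow exists, otherwise NAT the packet to the external server when the protocol is authenticable) together with the control server issuing a data flow after its policy check, as an added Python model that is not the patent's own code or any product's code. The addresses, the set of authenticable protocols and the dropping of packets that can neither be forwarded nor authenticated are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# Constructed sample values (not taken from the patent): the external/authentication
# server (104) address and the protocols assumed able to carry an authentication exchange.
AUTH_SERVER = ("10.0.0.104", 8443)
AUTHENTICABLE = {("tcp", 80), ("tcp", 443)}

# A data flow is looked up by the packet's source IP, destination IP, destination port and protocol.
FlowKey = Tuple[str, str, int, str]


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def key(self) -> FlowKey:
        return (self.src_ip, self.dst_ip, self.dst_port, self.proto)


@dataclass
class Decision:
    action: str                 # "forward", "nat_to_auth" or "drop"
    next_hop: Tuple[str, int]   # where the packet is sent (empty for "drop")


@dataclass
class Gateway:
    """Gateway (101): communication is allowed only when an authorized data flow exists."""
    data_flows: Dict[FlowKey, dict] = field(default_factory=dict)

    def handle(self, pkt: Packet) -> Decision:
        flow = self.data_flows.get(pkt.key())
        if flow is not None and flow.get("status") == "available":
            # Data flow exists: forward unchanged to the destination network.
            return Decision("forward", (pkt.dst_ip, pkt.dst_port))
        if (pkt.proto, pkt.dst_port) in AUTHENTICABLE:
            # No data flow, but the protocol can be authenticated: rewrite the destination
            # IP/port (NAT) so the node is sent through the external server for authentication.
            return Decision("nat_to_auth", AUTH_SERVER)
        # Assumption: a packet that can neither be forwarded nor authenticated is dropped.
        return Decision("drop", ("", 0))

    def install_flow(self, key: FlowKey, info: dict) -> None:
        """Receives data flow information from the control server after authentication."""
        self.data_flows[key] = info


@dataclass
class ControlServer:
    """Control server (102): checks the access policy and issues data flows to the gateway."""
    access_policy: Dict[str, Set[Tuple[str, int]]]   # source IP -> allowed (dst IP, dst port)
    gateway: Gateway

    def on_network_connection_request(self, src_ip: str, dst_ip: str,
                                      dst_port: int, proto: str = "tcp") -> bool:
        if (dst_ip, dst_port) not in self.access_policy.get(src_ip, set()):
            return False   # not connectable: no flow is issued, the gateway keeps redirecting
        self.gateway.install_flow((src_ip, dst_ip, dst_port, proto),
                                  {"status": "available", "issued_by": "control-server"})
        return True


def demo() -> list:
    """Walks one node through: no flow -> NAT to auth server -> flow issued -> forwarded."""
    gw = Gateway()
    cs = ControlServer({"192.0.2.10": {("203.0.113.5", 443)}}, gw)   # constructed policy
    pkt = Packet("192.0.2.10", "203.0.113.5", 443)
    first = gw.handle(pkt).action                       # no data flow yet
    granted = cs.on_network_connection_request("192.0.2.10", "203.0.113.5", 443)
    second = gw.handle(pkt).action                      # flow now exists
    denied = cs.on_network_connection_request("192.0.2.10", "203.0.113.9", 443)
    third = gw.handle(Packet("192.0.2.10", "203.0.113.9", 5000)).action   # no flow, not authenticable
    return [first, granted, second, denied, third]


if __name__ == "__main__":
    print(demo())
```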
- the service server (105_1, 105_2) may be various types of devices capable of performing data communication.
- the service server (105_1, 105_2) may include a portable device such as a smart phone or a tablet, a computer device such as a desktop or a laptop, a multimedia device, a medical device, a camera, a wearable device, a virtual reality (VR) device, or a home appliance device, but is not limited to the aforementioned devices.
- the service server (105_1, 105_2) may also be referred to as an 'electronic device' or a 'terminal'.
- Nodes (103_1, 103_2) can transmit data packets to service servers (105_1, 105_2) or receive data packets from service servers (105_1, 105_2).
- Some of the target applications included in nodes (103_1, 103_2) may be trusted and/or secure applications, such as web browsers or business applications, while others may be untrusted or insecure malicious programs. Therefore, the network access control system according to embodiments may block access of unauthorized programs (applications) to service servers (105_1, 105_2) and isolate (e.g., blacklist) such programs.
- the control server (102) can ensure reliable data transmission within a network environment by managing data transmission between the gateway (101) and the service servers (105_1, 105_2). For example, the control server (102) can allow network access of an authorized access control application through policy information or blacklist information. The control server (102) can provide authentication information that can perform authentication between the gateway (101) and the service servers (105_1, 105_2). Accordingly, the access control application can prevent an unauthorized node from transmitting data packets to an unauthorized destination.
- the network access of a node may be blocked by a connection control application, a control server (102), or a gateway (101).
- the control server (102) may transmit and receive control data packets with the gateway (101) in order to perform various operations (e.g., registration, approval, authentication, renewal, termination) associated with the network access of the gateway (101).
- the flow in which the control data packets are transmitted may be referred to as a 'control flow'.
- the control server (102) may immediately recover a tunnel according to a security event received from a linking system (e.g., gateway), or may immediately recover a tunnel when a target application is terminated, thereby maintaining a secure network state at all times.
- the above-described structure may be substantially equally applied to the relationship between the connection control application and the control server (102).
- The control server (102) can communicate with the authentication server (104).
- Although FIG. 1 illustrates a case where the control server (102) and the authentication server (104) are separate, the present invention is not limited thereto; the control server (102) and the authentication server (104) may be configured as a single integrated server (e.g., an external server).
- FIG. 2 is a functional block diagram showing a database stored in a control server (102) according to various embodiments. Although FIG. 2 only shows a memory, the control server (102) may further include a communication circuit for performing communication with an external electronic device and a processor for controlling the overall operation of the control server (102).
- An administrator can access the control server (102) and set a connection-centric policy to control access between the access control application, gateway (101), and service server, thereby enabling more detailed and safer control of network access than managing sessions at the service level.
- the access policy database (211) may include at least some of the information for identification of the node (such as unique node identification information, user information corresponding to the node, information about services that the target application of the node can access, etc.) and authentication (such as a certificate). For example, when a network access request is obtained from a target application controlled by the access control application, the control server (102) may determine whether the node, target application, and/or user identified at the time of the network access request can access the destination (such as a service server or gateway (101)) based on the policy of the access policy database (211).
- control server (102) can check whether connection is possible and generate a data flow based on a method for identifying a connection target and identification information (e.g., an identification method based on a MAC address of a node, an identification method based on authentication information transmitted by a node when requesting network connection, an identification method of an application requesting network connection within a router (201) and thus, destination IP and port information included in an IP header, protocol information (e.g., TCP, UDP, etc.), MAC address, application identification information, IP allocated to the node, received network interface identification information, etc.).
- the tunnel policy database (212) may include a series of information (e.g., authentication information, encryption algorithm, tunnel endpoint IP, etc.) required to create a tunnel to be connected to a gateway (101) on a connection path according to a connection policy. If a tunnel already connected to another gateway (not shown) on the connection path exists, a series of information (e.g., whether to collect IP information assigned to a node and whether to perform replacement processing) for using it may be included.
- the control server (102) may provide a tunnel and gateway (101) optimized for the node based on the tunnel policy when a network connection request is made by a node connected to the gateway (101).
- the authentication policy database (213) may include a series of information related to whether to authenticate network access based on the identification information of a node when a node connected to the gateway (101) accesses the network according to the access policy (211) and, if authentication is performed, the authentication method.
- the authentication policy database (213) may include certificate information (e.g., Mutual-TLS) previously issued to a connection target (e.g., a node) and may include certificate information (e.g., TLS) for inducing a connection target (e.g., a node) to create a secure session in a proxy included in the gateway (101).
- the protocol policy database (214) may include protocol identification signature information, protocol version information, protocol header information, and agreement information for identifying protocol information included when transmitting and receiving data packets as protocol information that can communicate with the target service.
- the protocol policy database (214) includes information on whether to process a data packet as a normal protocol by examining the data packet to a certain extent (length) to identify the protocol, information on the timing of a network connection attempt or the protocol examination cycle, information on the protocol examination performing entity, and a series of information related to network connection release, control flow release, and isolation in case of non-compliance with the protocol.
- the service policy database (215) may include service IP and port information, protocol information (e.g., HTTP, FTP, IoT-specific protocol, etc.) that a connection target (e.g., a node) can access through a proxy (e.g., a proxy included in a gateway (101)) according to the access policy (211).
- the service policy database (215) may include whether service request filtering is necessary, a service request filtering processing method, filtering information (e.g., personal information, harmful service request information), and a series of information for blocking unnecessary or dangerous service requests in advance in the proxy.
- the service policy database (215) may include a series of information for setting the number of service requests possible per a certain time unit and adjusting the number of service requests in the proxy accordingly when QoS (Quality of Service) for a service request is required.
- the control flow table (216) is an example of a session table for managing the flow of control data packets (e.g., control flows) generated between the connection control application and the control server (102).
- control flow information may be generated by the control server (102).
- the control flow information may include identification information of the control flow, an IP address identified upon connection and authentication to the control server (102), node identification information, target application identification information, information additionally identified through linkage with the service server, etc.
- the control server (102) may search for control flow information through the control flow identification information, and may determine (decide) whether the node can connect to the service server, whether to generate a data flow for data packet transmission, etc. by mapping the identification information included in the searched control flow information to the connection policy database (211).
- a control flow may have an expiration time.
- the access control application must periodically/aperiodically update the expiration time of the control flow, and if the expiration time is not updated for a certain period of time, the control flow (or control flow information) may be removed.
- the control server (102) may remove the control flow. If the control flow is removed, previously generated data flows are also removed, so that access to the service server through the corresponding gateway (101) may be blocked.
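The control flow lifetime and the cascade described above (a control flow that is not refreshed is removed, and every data flow issued under it goes with it, so the gateway stops forwarding), as an added Python model that is not the patent's own code or any product's code; the 300-second lifetime, the table layout and the simulated clock are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Data flows are keyed the way the gateway looks them up (source IP, destination IP, service port).
FlowKey = Tuple[str, str, int]


@dataclass
class ControlFlow:
    flow_id: str
    node_id: str
    expires_at: float      # absolute time; renewed by the access control application


@dataclass
class DataFlow:
    flow_id: str
    control_flow_id: str   # the control flow this data flow was issued under
    key: FlowKey


@dataclass
class FlowTables:
    """Control flow table (216) and data flow table (217) with the expiry cascade."""
    lifetime: float = 300.0    # assumption: control flow validity in seconds
    control_flows: Dict[str, ControlFlow] = field(default_factory=dict)
    data_flows: Dict[str, DataFlow] = field(default_factory=dict)

    def _valid(self, cf_id: str, now: float) -> bool:
        cf = self.control_flows.get(cf_id)
        return cf is not None and cf.expires_at > now

    def create_control_flow(self, cf_id: str, node_id: str, now: float) -> None:
        self.control_flows[cf_id] = ControlFlow(cf_id, node_id, now + self.lifetime)

    def refresh(self, cf_id: str, now: float) -> bool:
        """Periodic update from the access control application; fails once the flow has lapsed."""
        if not self._valid(cf_id, now):
            return False
        self.control_flows[cf_id].expires_at = now + self.lifetime
        return True

    def create_data_flow(self, df_id: str, cf_id: str, key: FlowKey, now: float) -> bool:
        if not self._valid(cf_id, now):
            return False   # data flows are only issued under a live control flow
        self.data_flows[df_id] = DataFlow(df_id, cf_id, key)
        return True

    def expire(self, now: float) -> List[str]:
        """Remove lapsed control flows and every data flow issued under them."""
        removed = []
        lapsed = [i for i, cf in self.control_flows.items() if cf.expires_at <= now]
        for cf_id in lapsed:
            del self.control_flows[cf_id]
            for df_id in [i for i, df in self.data_flows.items() if df.control_flow_id == cf_id]:
                del self.data_flows[df_id]
                removed.append(df_id)
        return removed

    def gateway_allows(self, key: FlowKey) -> bool:
        """What the gateway sees: a packet is forwarded only while its data flow still exists."""
        return any(df.key == key for df in self.data_flows.values())


def demo() -> dict:
    """Simulated clock: refreshes keep the flow alive, a missed refresh tears everything down."""
    t = FlowTables(lifetime=300.0)
    key = ("192.0.2.10", "203.0.113.5", 443)        # constructed addresses
    t.create_control_flow("cf-1", "node-A", now=0.0)
    t.create_data_flow("df-1", "cf-1", key, now=1.0)
    alive_after_refresh = t.refresh("cf-1", now=250.0) and t.gateway_allows(key)
    t.expire(now=500.0)                              # last refresh at 250 -> valid until 550
    still_allowed = t.gateway_allows(key)
    torn_down = t.expire(now=600.0)                  # no refresh since 250 -> cascade removal
    return {
        "alive_after_refresh": alive_after_refresh,
        "still_allowed_at_500": still_allowed,
        "removed_data_flows": torn_down,
        "allowed_after_expiry": t.gateway_allows(key),
        "refresh_after_expiry": t.refresh("cf-1", now=601.0),
    }


if __name__ == "__main__":
    print(demo())
```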
- the data flow table (217) is a table for managing the flow (e.g., data flow) of detailed data packets transmitted between a node and a gateway (101), and may include data flow information for managing tunnels and/or sessions in a target application of the node, the gateway (101), and a service server.
- The data flow table (217) may include at least a portion of the following: data flow identification information (e.g., an ID); node identification information (e.g., MAC address information); an application and a minimum identification unit of the application; information for the gateway (101) to determine whether network connection is possible based on the source IP, destination IP, and service port information of the data packet; a series of information (authentication information, encryption algorithm, tunnel endpoint IP, etc.) required to create a tunnel with the gateway (101) on the connection path; data flow status information regarding whether the data flow is available; and authentication expiration time information required when periodically authenticating the corresponding data flow.
- the data flow table (217) may include authentication information.
- the authentication information may include a series of information for checking whether an authorized node has transmitted a data packet, a method for checking authentication information by protocol (e.g., in the case of TCP, TCP SYN packet inspection, in the case of UDP, authentication information inspection by data packet or authentication information inspection at regular intervals (or cycles), inspection method, etc.), information for decrypting authentication information, algorithm information for generating and verifying authentication information, and a series of information included in the algorithm (e.g., information such as Secret Key when generating HMAC OTP, etc.).
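One way the authentication information held in the data flow table could be generated by a node and verified by the gateway (an HMAC-based OTP over a per-flow secret key, checked on the TCP SYN and on every packet or every Nth packet for UDP), as an added Python example that is not the patent's own design or any product's code. The wire layout, the counter-based replay check and the binding of the source IP into the tag are assumptions.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict

# Assumed wire layout of the authentication information carried in a packet (e.g. in the
# TCP SYN): 4-byte data flow ID, 8-byte counter, 16-byte truncated HMAC-SHA256 tag.
HDR = struct.Struct(">IQ")
TAG_LEN = 16


@dataclass
class FlowAuth:
    """Per-data-flow entry from the data flow table (217): secret key plus replay state."""
    secret: bytes
    last_counter: int = -1     # counters must strictly increase; an old OTP is a replay


def otp_tag(secret: bytes, flow_id: int, counter: int, src_ip: str) -> bytes:
    # Binding the source IP into the MAC ties the OTP to the sending node's address.
    msg = HDR.pack(flow_id, counter) + src_ip.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:TAG_LEN]


def make_auth_info(secret: bytes, flow_id: int, counter: int, src_ip: str) -> bytes:
    """Node side: the authentication information inserted into the data packet."""
    return HDR.pack(flow_id, counter) + otp_tag(secret, flow_id, counter, src_ip)


def verify_auth_info(table: Dict[int, FlowAuth], src_ip: str, auth_info: bytes) -> bool:
    """Gateway side: accept only a fresh OTP made with the flow's secret for this source IP."""
    if len(auth_info) != HDR.size + TAG_LEN:
        return False
    flow_id, counter = HDR.unpack(auth_info[:HDR.size])
    entry = table.get(flow_id)
    if entry is None or counter <= entry.last_counter:
        return False                                    # unknown flow or replayed/stale OTP
    expected = otp_tag(entry.secret, flow_id, counter, src_ip)
    if not hmac.compare_digest(expected, auth_info[HDR.size:]):
        return False                                    # wrong key, wrong source or tampered
    entry.last_counter = counter                        # commit only after a successful check
    return True


def needs_inspection(proto: str, tcp_syn: bool, udp_index: int, udp_interval: int) -> bool:
    """Inspection policy: TCP checks the SYN; UDP checks every packet or every Nth packet."""
    if proto == "tcp":
        return tcp_syn
    return udp_interval <= 1 or udp_index % udp_interval == 0


def demo() -> list:
    secret = b"constructed-flow-secret"                 # constructed; issued by the control server
    table = {7: FlowAuth(secret)}
    node_ip = "192.0.2.10"
    good = make_auth_info(secret, 7, 1, node_ip)
    return [
        verify_auth_info(table, node_ip, good),                                        # fresh OTP
        verify_auth_info(table, node_ip, good),                                        # replayed SYN
        verify_auth_info(table, "192.0.2.99", make_auth_info(secret, 7, 2, node_ip)),  # source mismatch
        verify_auth_info(table, node_ip, make_auth_info(b"other", 7, 3, node_ip)),     # wrong key
        verify_auth_info(table, node_ip, make_auth_info(secret, 9, 4, node_ip)),       # unknown flow
        verify_auth_info(table, node_ip, make_auth_info(secret, 7, 5, node_ip)),       # next valid OTP
    ]


if __name__ == "__main__":
    print(demo())
```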
- the data flow table (217) may include certificate information issued in advance to process a request for creating a secure session of an authorized connection target (e.g., a node).
- the data flow table (217) may include service information.
- the service information may include service IP and port information that an allowed connection target can access through the proxy, protocol information (e.g., HTTP, FTP, IoT-specific protocol, etc.), whether service request filtering is necessary, a service request filtering processing method, and filtering information (e.g., personal information, harmful service request information).
- the service information may include a series of information for blocking unnecessary or dangerous service requests in advance in the proxy, and a series of information for setting a number of service requestable times per period when QoS (Quality of Service) for the service request is required, and adjusting the number of service requests in the proxy accordingly.
- the service information may be generated based on a service policy (318).
- the data flow table (217) may be identically stored in the node and/or gateway (101) where the access control application is installed.
- the tunnel table (218) may include identification information of a tunnel created between a target application and a gateway (101), an IP address of the tunnel, etc.
- the control server (102) may determine whether a tunnel has been created between a target application and a gateway (101) based on the tunnel table (218).
- the tunnel table (218) is a table for managing tunnels connected between the target application and the gateway (101), and may be configured with a tunnel ID for managing and identifying a tunnel if a valid tunnel exists, a control flow ID for controlling between the gateway (101) and the control server (102), and additional information for managing a TEP (tunnel endpoint), a TSP (tunnel start point), a tunnel algorithm and type, an encryption level, etc.
- the blacklist database (219) may include a list of targets blocked by the blacklist policy database (220). For example, if the identification information of a target application requesting network access is included in the blacklist database (219), the control server (102) may isolate the target application by denying the network access request.
- the blacklist policy database (220) may represent a blacklist registration policy for blocking access of a target (e.g., at least one of a node ID (identifier), an IP address, a MAC (media access control) address, and a user) identified through analysis of the risk level, occurrence cycle, and/or behavior of a security event among security events periodically collected from a node or gateway (101).
- FIG. 3 illustrates a functional block diagram of a gateway (101) according to various embodiments.
- the gateway (101) may include a processor (310), a memory (320), and a communication circuit (330).
- the processor (310) may control the overall operation of the gateway (101).
- the processor (310) may include a single processor core or may include a plurality of processor cores.
- the processor (310) may include a multi-core such as a dual-core, a quad-core, a hexa-core, etc.
- the processor (310) may further include a cache memory located internally or externally.
- the processor (310) may be configured with one or more processors.
- the processor (310) may include at least one of an application processor, a communication processor, or a GPU (graphical processing unit).
- All or part of the processor (310) may be electrically or operatively coupled with or connected to other components (e.g., memory (320), communication circuitry (330)) within the control server (102).
- the processor (310) may receive commands from other components of the gateway (101), interpret the received commands, and perform calculations or process data according to the interpreted commands.
- the processor (310) may interpret and process messages, data, commands, or signals received from the memory (320), communication circuitry (330).
- the processor (310) may generate new messages, data, commands, or signals based on the received messages, data, commands, or signals.
- the processor (310) may provide the processed or generated messages, data, commands, or signals to the memory (320), communication circuitry (330).
- the processor (310) can process data or signals generated or produced by the program. For example, the processor (310) can request a command, data, or signal from the memory (320) to execute or control the program. The processor (310) can record (or store) or update a command, data, or signal to the memory (320) to execute or control the program.
- the memory (320) can store commands, control command codes, control data, or user data for controlling the gateway (101).
- the memory (320) can include at least one of an application program, an operating system (OS), middleware, or a device driver.
- the memory (320) may include one or more of volatile memory or non-volatile memory.
- the volatile memory may include dynamic random access memory (DRAM), static RAM (SRAM), synchronous DRAM (SDRAM), phase-change RAM (PRAM), magnetic RAM (MRAM), resistive RAM (RRAM), ferroelectric RAM (FeRAM), etc.
- the non-volatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, etc.
- the memory (320) may further include a non-volatile medium such as a hard disk drive (HDD), a solid state disk (SSD), an embedded multi media card (eMMC), or a universal flash storage (UFS).
- the communication circuit (330) can support the establishment of a wired or wireless communication connection between the gateway (101) and an external electronic device (e.g., the control server, the service server, etc. of FIG. 1), and the performance of communication through the established connection.
- the communication circuit (330) includes a wireless communication circuit (e.g., a cellular communication circuit, a short-range wireless communication circuit, or a GNSS (global navigation satellite system) communication circuit) or a wired communication circuit (e.g., a LAN (local area network) communication circuit, or a power line communication circuit), and using a corresponding communication circuit among them, communication can be made with an external electronic device through a short-range communication network such as Bluetooth, WiFi direct, or IrDA (infrared data association), or a long-range communication network such as a cellular network, the Internet, or a computer network.
- the various types of communication circuits (330) described above can be implemented as one chip or can be implemented as separate chips.
- For reference, the above has described the structure of the gateway (101), but the same/similar description may be applied to the control server (102), nodes (103_1, 103_2), authentication server (104), and/or service server (105_1, 105_2).
- FIGS. 4A and 4B illustrate operations for controlling transmission of data packets according to various embodiments.
- when a network connection request to a service server from a target application (e.g., malware) is detected by the connection control application, and the connection control application or gateway (101) is not connected to the control server (102), the connection control application can block transmission of data packets in a kernel or network driver including an operating system. Through the connection control application, the control server can block connections from malicious nodes in advance in the application layer of the OSI layer.
- a node (103) connected to a connection control application must perform authentication by connecting to an external server (e.g., control server (102)), and after performing authentication, when connecting to a service server (105), it queries the control server (102) for connection network information to check whether connection is possible, and if connection is possible, it can transmit a data packet to the service server (105).
- the gateway (101) can confirm the data packet received from the target application through an external server (e.g., control server (102)), and if it is a data packet transmitted by an authorized target application, it can allow transmission of a response data packet to the target application. For example, the gateway (101) can confirm whether a tunnel has been created with the target application from which the data packet has been received, and can forward the data packet to the destination only if a tunnel has been created. As a result, unauthorized nodes are basically unable to communicate with each other, and even authorized nodes cannot transmit and receive data packets if a tunnel determined by the control server (102) is not created.
- the gateway (101) can determine whether the node and/or the target application is authenticated, and if the node and/or the target application is not authenticated, can drop the data packet.
- Figure 5 is a drawing for explaining the operation of the gateway (101) according to the target application type.
- the gateway (101) can check whether the service request is in accordance with a universal protocol. If it is a universal protocol (e.g., IETF RFC standard protocols such as HTTP and FTP) that can be processed by the proxy of the gateway (101), the gateway (101) can perform detailed service access control by data flow. On the other hand, in the case of a native protocol that cannot be processed by the proxy, the gateway (101) can perform access control and data packet inspection by data flow.
- Figure 6 schematically illustrates the process of forwarding data packets from a node where an access control application is not installed.
- a node (103) on which an access control application is not installed may transmit a series of data packets for accessing a service server, and the data packets may pass through a gateway (101) located at the boundary between the service server and the node.
- the gateway (101) can check whether the data packet is transmitted from a node (103) on which the access control application is not installed by referring to the data flow information obtained from the control server (102). If it is confirmed that the data packet is transmitted from a node (103) on which the access control application is not installed, the gateway (101) can check whether there is a data flow that can access the service server IP and port based on the source IP (e.g., node IP).
- the gateway (101) can forward the data packet to the service server based on the data flow obtained from the control server (102). At this time, by updating the time or Timestamp information corresponding to the last data packet forwarding time, the control server (102) can be made aware that the node (103) is continuously performing network access through periodic data flow synchronization between the gateway (101) and the control server (102).
- the node (103) may be considered as an unauthenticated node.
- the gateway (101) may check whether the data packet obtained from the node (103) is a data packet of an authenticable protocol (e.g., a data packet using the HTTP protocol) in order to induce the node (103) to install an access control application or to communicate with an authentication server (104) for separate authentication.
- the data packet is forwarded to an external server (e.g., an authentication server (104)) by performing NAT (Network Address Translation) processing on the destination IP and port included in the IP header of the data packet based on external server IP and external server port information, and in operation 630, the authentication server (104) can receive the data packet.
- the gateway (101) can drop the data packet, but is not limited thereto, and similarly to the case of a data packet of an authenticable protocol, it can also be forwarded to the authentication server (104) after NAT processing.
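The gateway decision for a node without an access control application (Fig. 6) can be written as a small lookup over the data flow table: forward and refresh the last-forwarding Timestamp when a flow matches the source IP, destination IP and service port; otherwise NAT an authenticable (HTTP) data packet to the authentication server, and drop anything else. The following is an added illustration, not code from the patent or from any product that implements it. The `DataFlow`/`Packet` classes, the `203.0.113.10:443` authentication server address and the port-plus-method-prefix HTTP detection are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

@dataclass
class DataFlow:
    """One entry of the data flow table synchronized from the control server."""
    source_ip: str
    dest_ip: str
    dest_port: int
    last_forwarded: int = 0  # Timestamp of the last forwarded data packet

@dataclass
class Packet:
    """Constructed minimal IP packet view used by the gateway decision."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str               # "TCP" or "UDP"
    payload: bytes = b""

# Constructed authentication server address (assumption, not from the patent).
AUTH_SERVER_IP = "203.0.113.10"
AUTH_SERVER_PORT = 443

def is_authenticable(packet: Packet) -> bool:
    """HTTP is the authenticable protocol named in the text; recognising it by
    destination port 80 plus a request-method prefix is an assumption here."""
    return (packet.proto == "TCP" and packet.dst_port == 80
            and packet.payload[:4] in (b"GET ", b"POST", b"HEAD"))

def handle_unmanaged_packet(packet: Packet, flows: List[DataFlow],
                            now: int) -> Tuple[str, Packet]:
    """Gateway path for a data packet whose source node has no access control
    application. Returns (decision, packet-as-it-leaves-the-gateway)."""
    # Operation: is there a data flow permitting this source to reach the
    # service server IP and port? If so forward and refresh the Timestamp.
    for flow in flows:
        if (flow.source_ip, flow.dest_ip, flow.dest_port) == \
                (packet.src_ip, packet.dst_ip, packet.dst_port):
            flow.last_forwarded = now
            return ("forward", packet)
    # No data flow: the node is treated as unauthenticated. An HTTP packet is
    # NAT-ed to the authentication server so the node can be guided to install
    # the application or authenticate separately.
    if is_authenticable(packet):
        redirected = Packet(packet.src_ip, AUTH_SERVER_IP, AUTH_SERVER_PORT,
                            packet.proto, packet.payload)
        return ("nat_to_auth_server", redirected)
    # Anything else is dropped (the text also allows NAT here; drop is chosen).
    return ("drop", packet)

def idle_flows(flows: List[DataFlow], now: int, max_idle: int) -> Set[Tuple[str, str, int]]:
    """Control-server side view during periodic synchronization: flows whose
    Timestamp is older than max_idle have not been used recently."""
    return {(f.source_ip, f.dest_ip, f.dest_port)
            for f in flows if now - f.last_forwarded > max_idle}
```

The Timestamp refresh is what lets the control server see, through periodic data flow synchronization, that a node is still active; `idle_flows` shows the complementary check on the control server side.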
- Figure 7 schematically illustrates the authentication processing process when a node (103) on which an access control application is not installed transmits a service request.
- a node (103) on which an access control application is not installed may attempt to access a service by executing an application, and may transmit a service request accordingly in operation 710.
- the service request of the node (103) may be forwarded to an external server (e.g., an authentication server (104)) after NAT processing through the gateway (101).
- the present invention is not limited thereto, and the node (103) may also directly transmit a service request to the authentication server (104).
- the authentication server (104) may receive a service request, and in operation 725, return authentication-related service information for installing an access control application or performing separate authentication to the node (103).
- the node (103) receives the service connection result, and may attempt to connect to the network by installing a connection control application according to the received service connection result (e.g., authentication-related service information) or perform network connection through an authentication procedure. This will be described with reference to FIG. 8.
- Figure 8 schematically illustrates authentication-related service information output through the display of a node.
- a node (user) can perform an authentication procedure by (i) installing a connection control application (network connection control application) based on the authentication-related service information illustrated in Fig. 8, or (ii) using a separate authentication method (user ID-based authentication, QR authentication, Multi Factor Authentication, etc.) provided by an authentication server (104).
- When authentication for a node is completed, the control server (102) generates data flow information including information on a service server to which the node can connect and transmits it to the gateway (101), after which the node can connect to the service server.
- Figure 9 schematically illustrates a process in which a node (103) performs an authentication procedure according to a separate authentication method provided by an external server (e.g., an authentication server (104)).
- when a node (103) transmits an authentication request to an external server (e.g., an authentication server (104)), it may be transmitted to a gateway (101) as in operation 905, and then forwarded to the authentication server (104) after NAT processing through the gateway (101) in operation 910, but is not limited thereto, and the node (103) may also directly transmit an authentication request to the authentication server (104).
- processing for the authentication request may be performed by an authentication server (104) or a control server (102) including an authentication server function, and in operation 920, the authentication server (104) may perform processing for the authentication request by processing an authentication request received from a node (103) or an authentication request by another authentication system (e.g., Multi Factor Authentication, etc.) connected to the authentication server (104).
- the authentication server (104) can check the information related to the authentication request transmitted by the node (103), and if authentication fails, return authentication failure information to the node (103).
- the authentication server (104) can request authentication to the control server (102) based on node identification information (operating system information of the node that has been authenticated, terminal type information, etc.), source IP information, user identification information, etc. identified during the authentication process.
- the control server (102) can generate a control flow based on authentication request information (node identification information (operating system information of an authenticated node, terminal type information, etc.), source IP information, user identification information, etc.) received from the authentication server (104) and add it to the control flow table.
- control server (102) checks whether there is a service server that the node (103) can connect to by looking up the connection policy database, and if there is a service server that can connect, the source IP, destination IP, service port information, and information for checking the protocol of the data packet transmitted and received between the service servers so that the node (103) can connect to the service server, including protocol identification signature and version information, header information, and protocol information included when transmitting and receiving the data packet, and information on whether to process the data packet to a certain extent (length) to identify the protocol and whether to process it as a normal protocol, information on whether to check the protocol at the time of a network connection attempt or periodically, and status information on whether the check is completed or whether more checks are needed, and service IP and port information that can be accessed through the proxy included in the gateway (101), protocol information (e.g., HTTP, FTP, IoT-specific protocol, etc.), and whether service request filtering is necessary, service request filtering processing method, filtering information (e.g., personal information
- the node (103) can access the service server with the second access right (e.g., minimum access right) without installing the access control application.
- a node (103) can transmit a deauthentication request to an external server (e.g., an authentication server (104)) through an authentication deauthentication request function.
- a related data packet can be forwarded to the authentication server after NAT processing at the gateway (101) as in operation 1010.
- the present invention is not limited thereto, and the node (103) can also transmit a deauthentication request to the authentication server (104).
- the authentication server (104) receives a deauthentication request, and the deauthentication request processing can be performed by the authentication server (104) or the control server (102) including the authentication server function, and in operation 1020, the authentication server (104) can process the deauthentication request by processing the deauthentication request received from the node (103) or the deauthentication request of another authentication system (e.g., Multi Factor Authentication, etc.) connected to the authentication server (104).
- the authentication server (104) can check information related to the deauthentication request transmitted by the node (103), and if the deauthentication request fails, return deauthentication failure information to the node (103).
- the authentication server (104) may request the control server (102) to deauthenticate the node (103) based on the identified node identification information (operating system information of the authenticated node, terminal type information, etc.), source IP information, user identification information, etc.
- control server (102) removes the control flow according to the authentication de-authentication request information (node identification information (operating system information of the node that has been authenticated, terminal type information, etc.), source IP information, user identification information) received from the authentication server (104), and can remove a series of data flow information dependent on the control flow.
- control server (102) can propagate the removed data flow information to the gateway (101), and in operation 1040, the result of processing the deauthentication request can be returned to the authentication server (104).
- the authentication server (104) returns the result of the deauthentication request processing to the node (103), and if the deauthentication is completed, the node (103) may be in a state where it can access the service server only after installing an access control application or performing a separate authentication process.
- FIG. 11 illustrates data packets according to various embodiments related to authentication information required to create a logical connection.
- a UDP data packet (1110) including node (terminal) header information may include an IP header, a node header (Device Header), and a payload.
- the node header (1130) may include node identification information and node authentication information.
- a TCP data packet (1120) including node header information may include an IP header, a TCP header, a node header, and a payload.
- the node header (1130) may include node identification information and node authentication information.
- node authentication information may be information for commonly authenticating all network connections transmitted from a node (103) or for authenticating network connection units (destination IP and port).
- the node (103) may generate a node header and include it in a data packet based on at least one of a method of inserting node identification information and authentication information previously provided from the control server (102) (e.g., in the case of TCP, inserting a TCP SYN packet, in the case of UDP, inserting authentication information for each data packet or inserting authentication information at regular intervals (or cycles), insertion method and timing, etc.), information for encrypting authentication information, information on an algorithm for generating authentication information, and a series of information included in the algorithm (e.g., information such as a Secret Key when generating HMAC OTP).
- the node header included in the data packet may be checked to determine whether it is a normally transmitted data packet by performing authentication by the gateway (101) or the control server (102).
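To make the node header concrete, here is an added example (not the patent's code, nor any implementing product's) of a node building a header from node identification information plus an HMAC-based OTP, and of the gateway verifying it against the secret key it holds in the data flow table. The HOTP-style truncation, the 30-second time step, the 8-digit code, the length-prefixed layout and the constructed node ID and key are all assumptions; the patent only names "HMAC OTP" and a "Secret Key".

```python
import hmac
import hashlib
import struct

# Constructed values for the example (assumptions, not from the patent).
NODE_ID = b"node-103-1"
SECRET_KEY = b"constructed-secret-key-provisioned-by-control-server"
TIME_STEP = 30      # seconds per OTP counter step (assumption)
OTP_DIGITS = 8      # decimal digits in the authentication code (assumption)

def hmac_otp(secret_key: bytes, counter: int, digits: int = OTP_DIGITS) -> str:
    """HMAC-based OTP: HMAC-SHA256 over a big-endian counter, dynamically
    truncated HOTP-style to a fixed number of decimal digits."""
    digest = hmac.new(secret_key, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def build_node_header(node_id: bytes, secret_key: bytes, now: int) -> bytes:
    """Node side: node header = node identification information (length-prefixed
    node ID) followed by node authentication information (the OTP)."""
    otp = hmac_otp(secret_key, now // TIME_STEP).encode()
    return struct.pack(">H", len(node_id)) + node_id + otp

def parse_node_header(header: bytes):
    """Split a node header back into (node_id, otp). Raises struct.error on
    a header too short to carry the length prefix."""
    (n,) = struct.unpack(">H", header[:2])
    node_id = header[2:2 + n]
    otp = header[2 + n:2 + n + OTP_DIGITS]
    return node_id, otp

def verify_node_header(header: bytes, key_table: dict, now: int,
                       skew_steps: int = 1) -> bool:
    """Gateway side: is this data packet from an authorized node? key_table maps
    node ID -> Secret Key as held in the data flow table. A +/- skew_steps
    window tolerates clock drift between node and gateway."""
    try:
        node_id, otp = parse_node_header(header)
    except struct.error:
        return False
    secret_key = key_table.get(node_id)
    if secret_key is None:
        return False                      # unknown node: no data flow entry
    if len(otp) != OTP_DIGITS:
        return False                      # truncated or malformed header
    base = now // TIME_STEP
    for delta in range(-skew_steps, skew_steps + 1):
        expected = hmac_otp(secret_key, base + delta).encode()
        if hmac.compare_digest(expected, otp):   # constant-time comparison
            return True
    return False
```

For TCP the gateway would apply `verify_node_header` to the SYN packet, for UDP to every data packet or at the configured interval; that per-protocol inspection policy comes from the data flow table and is not modelled here.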
- Figure 12 schematically illustrates a connection step of a node (103) on which a connection control application is installed to an external server (e.g., a control server (102)).
- a connection control application installed on a node (103) may request a connection to a control server (102) to create a control flow (control data packet flow and a series of sessions).
- the control server (102) verifies the connection request, and based on a policy database (e.g., a connection policy database, a tunnel policy database, a blacklist database, etc.), the access control application can refer to the information requested for connection (type of node, location information, environment and network including the node, access control application information, user or device authentication information for identifying whether the node is an authorized node, etc.) to verify whether the node (103) is in a connectable state, and can check whether node and network identification information (node ID, IP, MAC address, etc.) is included in a blacklist.
- if connection to node (103) is impossible or the node is included in a blacklist, the control server (102) transmits connection impossibility information to node (103), and node (103) can stop and terminate execution of the connection control application or output related error information.
- control server (102) can generate a control flow, generate a control flow ID in the form of a random number, and add node and network identification information (node ID, IP, MAC address, etc.) to the control flow table.
- control server (102) can refer to the access policy database and tunnel policy database that match the identified information (node, source network information, etc.) to check whether there is destination network information that the currently connected node (103) can basically connect to, and generate a whitelist of applications that can connect.
- the control server (102) can return a control flow ID and application whitelist information for identifying the control flow.
- control server (102) lists the types of tunnels and gateways (101) that can be connected to the node (103) by referring to the type of the node (103), location information, environment, and information such as the network in which the node (103) is included, the IP of the node (103), and can identify the optimal tunnel and optimal gateway by checking the status (throughput, failure status) of the listed gateways.
- control server (102) can transmit a series of information, such as a gateway and tunnel authentication for creating a tunnel, to the node (103).
- the node (103) requests tunnel creation to the corresponding gateway (101) based on a series of information required for tunnel creation, such as a gateway for tunnel creation and tunnel authentication, received from the control server (102), thereby creating a tunnel.
- control server (102) can obtain tunnel creation completion information and/or dedicated IP information set according to tunnel creation, register the tunnel dedicated IP and the corresponding tunnel creation information in the tunnel table, and update a series of information transmitted by the node (103) in the control flow.
- control server (102) may not transmit separate tunnel creation information to the node (103). If tunnel creation is not required, an application whitelist check may be performed.
- the control server (102) checks the gateway where the node is located by referring to the access policy database and the service policy database in order to allow access of a node connected to the network according to the application installation list transmitted by the node (103), and allows the node to allow network access without a network access request procedure, and includes protocol identification signatures and version information, header information, and protocol information included when transmitting and receiving data packets as information for examining the protocol of the data packets transmitted and received by the application, and information on whether to examine the data packets to a certain extent (length) to identify the protocol and process them as a normal protocol, whether the network access control application will perform the protocol inspection or whether to transmit the data packet information to the controller, information on whether to examine the protocol at the time of a network access attempt or periodically, and status information on whether the inspection has been completed or whether more inspection is needed, and service IP and port information that can be accessed through a proxy included in the gateway, and protocol information (e.g., HTTP, FTP, IoT).
- the data flow information includes information on whether filtering of a service request is required (e.g., a dedicated protocol, etc.), a method for processing service request filtering, filtering information (e.g., personal information, information on harmful service requests), a series of information for blocking unnecessary or dangerous service requests in advance at the proxy, a series of information for setting the number of possible service requests per unit of time and adjusting the number of service requests at the proxy accordingly when QoS (Quality of Service) for the service request is required, certificate information for verifying whether the access target is an allowed target when creating a security session, etc., and in operations 1245 and 1250, the information is transmitted to the node (103) and the gateway, and in operation 1255, the gateway (101) can receive the data flow information.
- when the node (103) and/or gateway (101) receives updated data flow information from the control server (102), it can update the data flow information by referring to it.
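The control flow lifecycle described for Fig. 12 (blacklist check, random control flow ID, control flow table entry, application whitelist and data flows derived from the access policy, propagation to the gateway) and its reverse for the deauthentication request of Fig. 10 (remove the control flow and every data flow that depends on it, then propagate the removal) can be modelled together. The following is an added example, not the patent's or any vendor's code; the policy record layout, the 16-byte hex control flow ID, the in-memory tables and all sample IDs and addresses are constructed assumptions.

```python
import secrets
from typing import Dict, List, Set, Tuple

class ControlServer:
    """Constructed in-memory model of the control flow / data flow tables."""

    def __init__(self, blacklist: Set[str], access_policy: List[dict]):
        # blacklist: node IDs, IPs or MAC addresses from the blacklist database
        self.blacklist = blacklist
        # access_policy rows: {"node_id", "app", "dest_ip", "port"} (assumed shape)
        self.access_policy = access_policy
        self.control_flows: Dict[str, dict] = {}                  # cf_id -> identification info
        self.data_flows: Dict[str, List[Tuple[str, str, int]]] = {}  # cf_id -> [(src, dst, port)]
        self.gateway_flows: Set[Tuple[str, str, int]] = set()     # what the gateway holds

    def handle_connect(self, node_id: str, ip: str, mac: str) -> dict:
        """Connection request from an access control application (Fig. 12)."""
        # Deny if any node/network identification information is blacklisted.
        if {node_id, ip, mac} & self.blacklist:
            return {"status": "connection_impossible"}
        # Control flow ID generated as a random value.
        cf_id = secrets.token_hex(16)
        self.control_flows[cf_id] = {"node_id": node_id, "ip": ip, "mac": mac}
        # Access policy lookup: destinations this node may reach, and the
        # whitelist of applications allowed to connect.
        rows = [r for r in self.access_policy if r["node_id"] == node_id]
        whitelist = sorted({r["app"] for r in rows})
        flows = [(ip, r["dest_ip"], r["port"]) for r in rows]
        self.data_flows[cf_id] = flows
        self.gateway_flows.update(flows)            # propagate to gateway
        return {"status": "ok", "control_flow_id": cf_id, "app_whitelist": whitelist}

    def handle_deauth(self, node_id: str, ip: str) -> dict:
        """Deauthentication request relayed by the authentication server (Fig. 10):
        remove the control flow and the data flows that depend on it."""
        matching = [cf for cf, info in self.control_flows.items()
                    if info["node_id"] == node_id and info["ip"] == ip]
        if not matching:
            return {"status": "not_found"}
        removed: List[Tuple[str, str, int]] = []
        for cf_id in matching:
            del self.control_flows[cf_id]
            removed.extend(self.data_flows.pop(cf_id, []))
        # Propagate removal to the gateway so its data flow table is updated.
        self.gateway_flows.difference_update(removed)
        return {"status": "ok", "removed_flows": len(removed)}

    def gateway_permits(self, src_ip: str, dst_ip: str, port: int) -> bool:
        """Gateway-side view after synchronization."""
        return (src_ip, dst_ip, port) in self.gateway_flows

def demo_policy() -> List[dict]:
    """Constructed sample access policy (assumption)."""
    return [
        {"node_id": "node-103-1", "app": "erp-client", "dest_ip": "10.1.0.20", "port": 8080},
        {"node_id": "node-103-1", "app": "erp-client", "dest_ip": "10.1.0.21", "port": 8080},
        {"node_id": "node-103-2", "app": "mail", "dest_ip": "10.1.0.30", "port": 993},
    ]
```

Because data flows are keyed by their control flow, removing the control flow is enough to find and revoke everything that depended on it; the gateway only ever sees the resulting add/remove of (source IP, destination IP, service port) tuples.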
- Figure 13 schematically illustrates the user authentication step of a node (103) on which an access control application is installed.
- the access control application of the node (103) may request user authentication by transmitting authentication information using a user ID and password or an enhanced authentication method after creating a control flow with an external server (e.g., control server (102)).
- The control server (102) receives the user authentication request and, based on the information submitted for authentication by the access control application (user ID and password, reinforced authentication information, etc.), checks whether the user of the node (103) is permitted to access and whether the user is on a blacklist, i.e., whether the user is blocked. If access is not permitted or the user is blacklisted, the control server (102) can transmit inaccessibility information to the node (103).
- control server (102) can search for a corresponding control flow in the control flow table by referencing the control flow ID, add user identification information (user ID) to the identification information of the control flow, and return an authentication completion status and access policy information of the authenticated user to the node (103) as a result of user authentication.
- control server (102) can refer to the access policy database and tunnel policy database that match the identified information (node, source network information, etc.) to check whether there is destination network information to which the currently connected node (103) can connect, and generate a whitelist of applications that can connect.
- The node (103) can list the tunnel types and gateways it can connect to in order to reach the destination network, using the node type, location information, environment and containing network recorded in the control flow, the node IP as identified by the control server (102) and the node IP as identified by the node itself, and can then check the status (throughput, failure status) of the listed gateways to identify the optimal tunnel and the optimal gateway.
- control server (102) can transmit a series of information, such as a gateway and tunnel authentication for creating a tunnel, to the node (103).
- the node (103) processes the result value of the user authentication request processing received from the control server (102), and if tunnel creation is required, a tunnel can be created by requesting tunnel creation to the gateway (101) based on a series of information required for tunnel creation, such as the gateway (101) for tunnel creation and tunnel authentication received from the control server (102).
- the node (103) can transmit tunnel creation completion information and IP information, if there is a dedicated IP set according to tunnel creation, to the control server (102).
- In operation 1335, when the node (103) receives an application whitelist from the control server (102), it can check whether each listed application is installed on the node (103) and transmit the result to the control server (102).
- control server (102) can register the tunnel-only IP assigned to the node (103) and the corresponding tunnel creation information in the tunnel table and update a series of information transmitted by the node (103) to the identified control flow.
- After the gateway where the node is located has been verified against the access and service policies, the control server (102) generates data flow information so that the node (103) can access the network without a separate network access request procedure. It contains the information for checking the protocol of the data packets the application transmits and receives: the source IP, destination IP, service port information and protocol information carried in the data packets; the protocol identification signature and version information, header information and protocol information; how far (the length) a data packet must be inspected to identify its protocol and treat it as a normal protocol; whether the protocol inspection is performed by the access control application or by transmitting the data packet information to the controller; whether the protocol is inspected at the time of the network access attempt or periodically; status information on whether the inspection has been completed or more inspection is needed; the service IP and port information reachable through the proxy included in the gateway; and the protocol information (e.g., HTTP, FTP, IoT-specific protocol, etc.).
- The data flow information may further include whether service request filtering is necessary, the service request filtering processing method, the filtering information (e.g., personal information, harmful service request information), information for blocking unnecessary or dangerous service requests in advance at the proxy, information for setting the number of service requests allowed per unit of time and having the proxy adjust the number of service requests accordingly when QoS (Quality of Service) is required for the service request, and certificate information for verifying that the access target is an allowed target when creating a security session.
- the control server (102) can obtain tunnel creation completion information and/or dedicated IP information set according to tunnel creation, register the tunnel dedicated IP allocated to the node (103) and the corresponding tunnel creation information in the tunnel table, and update a series of information transmitted by the node (103) to the identified control flow.
- The node (103) can refer to the received data flow information and update the data flow information stored in the node (103).
- Figure 14 schematically illustrates the network connection processing steps of a node (103) on which a connection control application is installed.
- the access control application of the node (103) can detect the network access of the target application.
- it can be checked whether data flow information exists based on the target application identification information, destination IP, and port information to communicate with the destination network (1410). If a valid data flow exists, the access control application can transmit a data packet to the gateway. If the data flow exists but is invalid (e.g., in a state where transmission is not possible or network access has been rejected by the control server (102) in the past), the data packet can be dropped.
- If no data flow exists for the target application, destination IP and port, the access control application can send a network connection request to the control server (102).
- control server (102) can refer to a connection policy database that matches the information (node, application, source network information, etc.) identified in the control flow to check whether the requested connection identification information (destination IP and service port information, etc.) is included and whether connection to a service server mapped to the corresponding identification information is possible.
- If the connection is not permitted, the control server (102) may transmit a connection failure result to the node (103), which causes the data packets to be dropped.
- control server (102) can check whether a tunnel has been created in the tunnel table to connect to the network.
- The control server (102) refers to at least part of the tunnel policy database and the protocol policy database to check whether a tunnel must be created in order to access the corresponding service; if it is confirmed that a tunnel must be created (and, per the preceding check of the tunnel table, none exists yet), the control server (102) can transmit a connection failure result to the node (103).
- control server (102) can check whether there is a valid data flow corresponding to the information (destination IP and service port information, etc.) requested for connection by the node (103) in the data flow table.
- If a valid data flow already exists, the corresponding information can be transmitted to the node (103) and/or the gateway (101).
- Otherwise, the control server (102) generates data flow information containing, as information for examining the protocol of the data packets the corresponding application transmits and receives, the source IP, destination IP, service port information and protocol information carried in the data packets; the protocol identification signature and version information, header information and protocol information; how far (the length) a data packet must be examined to identify its protocol and treat it as a normal protocol; whether the protocol examination is performed by the network access control application or by transmitting the data packet information to the controller; whether the protocol is examined at the time of the network access attempt or periodically; status information on whether the examination is completed or further examination is required; the service IP and port information reachable through the proxy included in the gateway; the protocol information (e.g., HTTP, FTP, IoT-only protocol, etc.); whether service request filtering is necessary, the service request filtering processing method and the filtering information (e.g., personal information, harmful service request information); information for setting the number of service requests allowed per unit of time and having the proxy adjust the number of service requests accordingly; and certificate information for verifying that the connection target is an allowed target when creating a security session. In operation 1440 this information is transmitted to the gateway (101), and in operation 1435 the result of processing the network connection request is transmitted to the node (103).
- connection control application can process the connection request result value received from the control server (102).
- the access control application can update the data flow information stored in the node (103), and if the network access request is successful, the data packet can be transmitted to the gateway (101).
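The Figure 14 exchange above, node-side lookup of the data flow table and controller-side policy check, as an added example that is not part of the patent text or the applicant's product. The table layouts, the `Controller` and `Node` classes, the string reasons and the sample policy entries are assumptions made for illustration; only the decisions (forward on a valid flow, drop on an invalid one, request from the control server when none exists, fail when the destination is not in the access policy or a required tunnel is missing, hand the new data flow to the gateway in operation 1440) follow the text.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DataFlow:
    flow_id: str
    gateway: str
    valid: bool = True        # False once the control server has rejected this key
    reason: str = ""


@dataclass
class Controller:
    """Stand-in for control server (102) with its policy databases and tables (assumed layout)."""
    access_policy: dict       # (app id, destination IP, port) -> gateway in front of the service
    tunnel_required: set      # gateways whose tunnel policy demands a tunnel first
    tunnel_table: dict        # node id -> set of gateways the node already has a tunnel to
    data_flow_table: dict = field(default_factory=dict)   # (node id, key) -> DataFlow
    gateway_flows: dict = field(default_factory=dict)     # gateway -> flow ids sent to it (1440)
    requests: int = 0
    seq: int = 0

    def request_connection(self, node_id: str, key: tuple) -> tuple[Optional[DataFlow], str]:
        """Handle one network connection request; return (data flow or None, reason)."""
        self.requests += 1
        gateway = self.access_policy.get(key)               # access policy lookup
        if gateway is None:
            return None, "destination not allowed by access policy"
        if gateway in self.tunnel_required and gateway not in self.tunnel_table.get(node_id, set()):
            return None, "tunnel required but not created"  # tunnel policy vs. tunnel table
        flow = self.data_flow_table.get((node_id, key))     # reuse a valid existing data flow
        if flow is not None and flow.valid:
            return flow, "existing data flow"
        self.seq += 1
        flow = DataFlow(flow_id=f"df-{self.seq}", gateway=gateway)
        self.data_flow_table[(node_id, key)] = flow
        self.gateway_flows.setdefault(gateway, set()).add(flow.flow_id)   # 1440: to the gateway
        return flow, "new data flow"


@dataclass
class Node:
    """Access control application on node (103)."""
    node_id: str
    controller: Controller
    data_flows: dict = field(default_factory=dict)        # (app id, dst IP, port) -> DataFlow

    def on_network_access(self, app: str, dst_ip: str, port: int) -> str:
        """Return 'forward' (packet goes to the gateway) or 'drop'."""
        key = (app, dst_ip, port)
        flow = self.data_flows.get(key)                     # 1410: does a data flow exist?
        if flow is not None:
            return "forward" if flow.valid else "drop"      # invalid flow: drop locally
        flow, reason = self.controller.request_connection(self.node_id, key)
        if flow is None:
            # Remember the failure result (1435) so later packets for this key are
            # dropped without another round trip to the control server.
            self.data_flows[key] = DataFlow(flow_id="", gateway="", valid=False, reason=reason)
            return "drop"
        self.data_flows[key] = flow                         # 1435 success: store the data flow
        return "forward"
```

The cached invalid entry is what makes the second packet to a rejected destination cheap; it also means the node must accept a refreshed data flow from the control server (for instance after a tunnel has been created) before that destination becomes reachable again.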
- Figure 15 schematically illustrates a tunneling-based data packet forwarding process of a node (103) on which an access control application is installed.
- the node (103) may request tunnel creation to the gateway (101) based on a series of information required for tunnel creation, such as tunnel authentication and gateway (101) for tunnel creation, received from an external server (e.g., control server (102)).
- The gateway (101) can perform a data flow inspection: it checks whether the data packet received from the node (103) is a packet for tunnel creation processing and whether it arrived on the port on which the tunneling-related module in the gateway (101) is listening. If so, the data packet is forwarded to that module, tunnel creation is processed in operation 1515 by referring to the tunnel creation request packet, and in operation 1520 the tunnel creation result can be transmitted to the node (103).
- Otherwise, the gateway (101) can drop the data packet.
- the node (103) receives the tunnel creation result, and if tunnel creation is completed, in operation 1530, it can perform connection (data packet transmission) to the service server based on tunneling.
- the gateway (101) can perform a data flow inspection and, based on the tunneling IP assigned to the node (103), can determine whether the node (103) can connect to the service server by referring to the accessible data flow information received from the control server (102). In operation 1540, if the connection is possible, the data packet is forwarded to the service server, and in operation 1545, the service server can receive the data packet.
- If the connection is not possible, the gateway (101) can drop the data packet.
- Figure 16 schematically illustrates a data packet forwarding process based on data packet authentication of a node (103) on which an access control application is installed.
- The node (103) may request the service server to create a logical connection (e.g., an authentication-based TCP session, or an authentication-based UDP session or flow) based on the information, received from the control server (102), that is required for creating the authentication information used to authenticate the logical connection.
- the gateway (101) can perform a data flow inspection, and, in order to verify a series of data packets for a logical connection received from a node (103), can check whether authentication information for the logical connection is valid based on authentication information received from the control server (102), and can check whether connection to the service server is possible with the authentication information.
- If the authentication information is valid, the gateway (101) forwards the data packet to the service server; if it is invalid, or the network connection request targets a service server that cannot be connected with that authentication information, the gateway (101) can drop the data packet.
- a logical connection is created, and in operation 1625, a result of creating the logical connection is transmitted to the node (103), and when the node (103) receives the result of creating the logical connection in operation 1630, in operation 1635, the node (103) can transmit a data packet to the service server based on the logical connection.
- the gateway (101) examines data flow information received from the control server (102) based on logical connection information assigned to the node (103), and in operation 1645, if the node (103) can connect to the service server, forwards the data packet to the service server, and in operation 1650, the service server can receive the data packet.
- If the node (103) cannot connect to the service server, the gateway (101) may drop the data packet.
- the gateway (101) can perform network access and data packet transmission control only for nodes (103) to which authentication-based logical connections have been granted.
- FIG 17 is a flow chart schematically illustrating the process by which a gateway (101) examines a protocol.
- the gateway (101) may receive a data packet transmission event from the network kernel of the operating system, and in operation 1710, may perform a data flow inspection.
- the gateway (101) can check whether data flow information exists by using one or more of the destination IP and port information, protocol information (e.g., TCP, UDP, etc.), and source IP or logical connection information included in the received IP header.
- If no data flow information exists, the gateway (101) may drop the data packet.
- the gateway (101) can determine whether a protocol inspection is necessary based on a protocol inspection status (whether a protocol inspection is necessary, whether a protocol inspection is completed by inspection of a previous data packet transmission, whether a protocol inspection is necessary periodically, etc.) included in the protocol information included in the data flow.
- If no protocol inspection is necessary, the gateway (101) can forward the data packet to the service server.
- protocol inspection can be performed by a gateway (101) or an external server (e.g., a control server (102)).
- the gateway (101) checks whether the data packet contains or complies with a signature and version information, header information, and protocol information for identifying whether the data packet is an allowed protocol based on information for inspecting the protocol of the data packet included in the data flow, and can inspect the data packet up to the inspection range (length) included in the protocol information as necessary.
- If the protocol check succeeds, the protocol inspection status changes to completed and the data packets can be forwarded.
- If it fails, the gateway can drop the corresponding data packet, remove the data flow and, in operation 1730, transmit the protocol inspection result including the control flow identification information to the control server (102).
- the control server (102) can receive the protocol inspection result and determine the level of risk by referring to the corresponding protocol policy database and blacklist policy database.
- If the risk is low, the control server (102) can remove the corresponding data flow and propagate the updated data flow to the gateway (101).
- If the risk is high, the control server (102) can remove the control flow and tunnel so that the corresponding node (103) can no longer maintain its network connection, and propagate the updated control flow, data flow and tunnel information to the gateway (101).
- If the risk is severe, the control server (102) can add the identified node (103) to a blacklist so that it can no longer access after performing the above-described control flow removal procedure.
- The gateway (101) can process the result value when it receives, from the control server (102), the response to the protocol inspection result it transmitted.
- the gateway (101) may collect all data packets or, if necessary, up to the inspection range (length) included in the protocol information to identify whether the data packet is an allowed protocol based on information for inspecting the protocol of the data packet included in the data flow.
- the gateway (101) can request a protocol inspection to the control server (102) including the collected data packets and data flow identification information.
- the control server (102) can check whether the data packet contains or complies with the signature and version information, header information, and protocol information based on the identified data flow information and the protocol information included in the data flow.
- control server (102) can change the inspection status of the received data packet of the data flow to complete and return the updated data flow information to the gateway (101).
- the control server (102) can determine whether there is a risk based on the protocol policy and blacklist policy according to the protocol inspection result. If the risk is low, the control server (102) can remove the data flow and transmit the updated data flow information to the gateway (101). On the other hand, if the risk is high, the control server (102) can remove the control flow and tunnel so that the corresponding node (103) can no longer maintain network connection, and transmit the updated control flow, data flow, and tunnel information to the gateway (101). If the risk is severe, the control server (102) can add the corresponding node (103) to the blacklist so that it can no longer access after performing the above-mentioned control flow removal procedure.
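The Figure 17 inspection loop (data flow lookup in operation 1710, signature check bounded by the inspection length, periodic re-inspection, drop and report in operation 1730, and the low/high/severe escalation on the control server) as an added example; it is not code from the patent or from the applicant. The HTTP and MQTT signatures, the inspection lengths, the "re-inspect every n packets" rule, the per-protocol mismatch risk and the "blacklist after three failures" rule are assumptions standing in for the protocol policy database and blacklist policy database, which the text does not specify.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ProtocolInfo:
    """Protocol information carried in a data flow (assumed layout)."""
    name: str
    signature: re.Pattern        # signature / version check applied to the packet start
    inspect_len: int             # inspect at most this many bytes (the "length")
    period: int = 0              # 0 = inspect once; n = re-inspect every n packets
    mismatch_risk: str = "low"   # risk the (assumed) protocol policy assigns to a failed check


# Constructed protocol policy entries, not the patent's.
PROTOCOLS = {
    "http": ProtocolInfo(
        "http", re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r\n"), 64, period=3),
    # MQTT CONNECT: type 0x10, remaining length, protocol name "MQTT", level 3/4/5
    "mqtt": ProtocolInfo(
        "mqtt", re.compile(rb"^\x10.\x00\x04MQTT[\x03\x04\x05]", re.DOTALL), 16, mismatch_risk="high"),
}


@dataclass
class DataFlow:
    flow_id: str
    node_id: str
    key: tuple                   # (destination IP, port, transport)
    protocol: ProtocolInfo
    inspected: bool = False      # inspection status: completed or still needed
    packets: int = 0


@dataclass
class Controller:
    """Control server (102): grades inspection failures and tears down node state."""
    blacklist_after: int = 3     # assumed blacklist policy: third failure is "severe"
    failures: dict = field(default_factory=dict)
    control_flows: set = field(default_factory=set)
    tunnels: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)

    def report(self, flow: DataFlow) -> str:
        """Receive a protocol inspection failure (1730) and return the risk level."""
        n = self.failures[flow.node_id] = self.failures.get(flow.node_id, 0) + 1
        risk = "severe" if n >= self.blacklist_after else flow.protocol.mismatch_risk
        if risk in ("high", "severe"):          # remove control flow and tunnel
            self.control_flows.discard(flow.node_id)
            self.tunnels.discard(flow.node_id)
        if risk == "severe":                    # and blacklist the node
            self.blacklist.add(flow.node_id)
        return risk


@dataclass
class Gateway:
    controller: Controller
    flows: dict = field(default_factory=dict)   # (dst IP, port, transport, node id) -> DataFlow

    def on_packet(self, node_id: str, key: tuple, payload: bytes) -> str:
        flow = self.flows.get((*key, node_id))             # 1710: data flow inspection
        if flow is None:
            return "drop:no-data-flow"
        flow.packets += 1
        proto = flow.protocol
        needs_check = not flow.inspected or (proto.period and flow.packets % proto.period == 1)
        if not needs_check:
            return "forward"
        if proto.signature.match(payload[:proto.inspect_len]):   # bounded signature check
            flow.inspected = True                          # status -> completed
            return "forward"
        del self.flows[(*key, node_id)]                    # drop packet, remove data flow
        risk = self.controller.report(flow)                # 1730: report with identification
        if risk in ("high", "severe"):
            # Updated control flow / tunnel information: every flow of this node goes away.
            for k in [k for k, f in self.flows.items() if f.node_id == node_id]:
                del self.flows[k]
        return f"drop:protocol:{risk}"
```

A mismatch on the MQTT flow is graded high because a non-MQTT payload on an IoT port is more suspicious than a stray byte on an HTTP flow; the grading itself belongs in the protocol policy, not in the gateway.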
- FIG 18 is a flow chart schematically illustrating the process by which a gateway (101) processes a service request.
- a proxy included in the gateway (101) can perform a data flow inspection to check whether data flow information exists by using the destination IP and port information and protocol information (e.g., TCP, UDP, etc.) included in the received IP header.
- If no data flow information exists, the gateway (101) may reject the service request.
- the gateway (101) can check whether service information allowing the service request exists in the data flow information based on the destination IP or domain identification information and port information included in the received service request header.
- If no service information allowing the service request exists, the gateway (101) may reject the service request.
- the gateway (101) can check whether QoS is required through the service request QoS information included in the service information.
- If QoS is required, the gateway (101) can perform service request QoS processing.
- the gateway (101) can check the number of service requests per a certain time period included in the service request QoS information, and if it is confirmed that the number of service requests exceeds the allowable number of service requests per a certain time period, the gateway (101) can delay the service request for a certain time period and then process it, or reject the service request to induce a service re-request, according to the service request QoS method.
- the gateway (101) can filter service request information and, through service filtering information included in the service information, determine whether the protocol of the service request (e.g., HTTP, FTP, or a dedicated protocol for IoT devices, etc.) is normal.
- If the protocol of the service request is not normal, the gateway (101) may reject the service request.
- the gateway (101) can replace the request information through replacement information or rules included in the service filtering information and transmit the service request if replacement of the information is required.
- the gateway (101) can transmit the service request.
- the gateway (101) may reject transmission of the service request.
- the gateway (101) can generate authentication information using an authentication information generation algorithm and additional information included in the authentication information of the data flow. Thereafter, the authentication information can be encrypted using an encryption algorithm and an encryption key included in the authentication information. Then, in operation 1825, the gateway (101) can insert a data flow header that combines the encrypted authentication information and the data flow identification information into the service request information according to the protocol specification of the service application, and in operation 1830, can transmit the service request.
- the gateway (101) can reflect the number of times the service request is processed in the QoS statistical information included in the service information in the data flow.
- the gateway (101) can update the data flow through the following process.
- the gateway (101) updates the processing time or Timestamp information when forwarding a data packet or service request from a node (103) based on the data flow received from the control server (102), and may periodically request the control server (102) to update the data flow information.
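The proxy pipeline of Figure 18 up to the point where the data flow header is inserted (data flow lookup, service lookup by destination IP or domain, QoS limiting with the "delay" and "reject to induce a re-request" options, protocol normality check, harmful-request filtering, replacement rules and the QoS statistics update) as an added example; it is not the patent's or the applicant's code, and it stops before operations 1825 and 1830. Assumptions: HTTP is the only service protocol checked, the request-line regex is the "is the protocol normal" test, the sliding window is the QoS method, the `../` and `<script` patterns are the harmful-request filter, and masking a 6-7 digit identifier is the personal-information replacement rule. The sample flows in `sample_flows()` are constructed.

```python
from __future__ import annotations

import re
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

# "Is the protocol normal" test for an HTTP service request (assumed form of the check).
REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS) /\S* HTTP/1\.[01]\r\n")
HOST_HEADER = re.compile(rb"\r\n[Hh]ost: *([^\r\n:]+)")


@dataclass
class QoS:
    max_requests: int           # allowed service requests per window
    window_s: float             # the "certain time period"
    on_exceed: str = "reject"   # "reject" induces a re-request; "delay" queues the request
    times: deque = field(default_factory=deque)   # timestamps of accepted requests


@dataclass
class ServiceInfo:
    qos: Optional[QoS] = None
    block_patterns: list = field(default_factory=list)    # harmful-request filtering
    replace_rules: list = field(default_factory=list)     # (pattern, replacement) rewriting


@dataclass
class DataFlow:
    flow_id: str
    services: dict                                   # (host or IP, port) -> ServiceInfo
    qos_stats: dict = field(default_factory=dict)    # host -> forwarded request count


class Proxy:
    """The proxy inside gateway (101), keyed by (destination IP, port, transport)."""

    def __init__(self, flows: dict) -> None:
        self.flows = flows

    def handle(self, dst_ip: str, port: int, transport: str, request: bytes, now: float):
        """Return (decision, possibly rewritten request). `now` is injected for testability."""
        flow = self.flows.get((dst_ip, port, transport))          # data flow inspection
        if flow is None:
            return "reject:no-data-flow", b""
        m = HOST_HEADER.search(request)
        host = m.group(1).decode("ascii", "replace") if m else dst_ip
        svc = flow.services.get((host, port))                      # service allowed?
        if svc is None:
            return "reject:service-not-allowed", b""
        decision = "forward"
        if svc.qos is not None:                                    # QoS processing
            q = svc.qos
            while q.times and now - q.times[0] >= q.window_s:
                q.times.popleft()                                  # expire old entries
            accept_at = now
            if len(q.times) >= q.max_requests:
                if q.on_exceed == "reject":
                    return "reject:qos", b""
                # Delay until the request that frees a slot leaves the window.
                accept_at = q.times[len(q.times) - q.max_requests] + q.window_s
                decision = f"delay:{accept_at - now:.1f}s"
            q.times.append(accept_at)
        if not REQUEST_LINE.match(request):                        # protocol normal?
            return "reject:abnormal-protocol", b""
        for pattern in svc.block_patterns:                         # harmful request?
            if pattern.search(request):
                return "reject:harmful-request", b""
        for pattern, replacement in svc.replace_rules:            # replacement rules
            request = pattern.sub(replacement, request)
        flow.qos_stats[host] = flow.qos_stats.get(host, 0) + 1    # QoS statistics
        return decision, request


def sample_flows() -> dict:
    """Constructed sample data flow information for two services (not from the patent)."""
    web = ServiceInfo(
        qos=QoS(2, 10.0, "reject"),
        block_patterns=[re.compile(rb"(?i)\.\./|<script")],
        replace_rules=[(re.compile(rb"\b\d{6}-\d{7}\b"), b"******-*******")],
    )
    iot = ServiceInfo(qos=QoS(1, 5.0, "delay"))
    return {
        ("10.0.0.5", 80, "tcp"): DataFlow("df-1", {("app.internal", 80): web, ("10.0.0.5", 80): web}),
        ("10.0.0.6", 8080, "tcp"): DataFlow("df-2", {("iot.internal", 8080): iot, ("10.0.0.6", 8080): iot}),
    }
```

The QoS counter is updated before the filters run, so a rejected harmful request still consumes a slot; that matches the order of the steps above and keeps an attacker from probing the filter for free. A request without a parseable Host header falls back to the destination IP, which is why each service is registered under both its domain and its IP.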
- control server (102) can check whether data flow information exists by referring to the received data flow identification information.
- If the data flow does not exist, the node (103) has terminated its network connection, so the control server (102) can return invalid data flow information to the gateway (101) so that access using that data flow through the gateway (101) is no longer possible.
- The control server (102) checks the last connection processing time of the data flow. If the time allowed after the first authentication has expired according to the authentication policy and re-authentication is required, or if the connection of the node (103) has been released, it can remove the data flow and control flow of the node (103) and, since the node (103) has terminated its network connection, return invalid data flow information to the gateway (101) so that access through the gateway (101) is no longer possible.
- the gateway (101) can delete invalid data flows based on the received data flow information.
- a proxy included in a gateway (101) can insert data flow header information that can identify a service request target from a service server based on authentication information included in a data flow into a portion suitable for the protocol of the service application (e.g., a header area in the case of HTTP) and retransmit the data flow header information to the service server, and return a response value of the service server for the service request to the node (103).
- a data flow header can be inserted to verify whether a data packet received from a control server (102) is an authenticated data packet in a data packet flow between a node (103), a gateway (101), and a service server.
- These data flow headers may include data flow identification information and encrypted authentication information.
- The service server queries the control server (102) using the data flow identification information in the data flow header to check whether an authenticated target (i.e., one for which a data flow exists) has connected, and receives additional information about the authenticated target stored by the control server (102) to perform authentication processing.
- The encrypted authentication information in the data flow header, in addition to the data flow identification information, can be used to verify that the service request was forwarded by an authenticated gateway (101).
- The decrypted authentication information may be a value such as a One-Time Password (OTP) or a randomly generated value that changes at each authentication, rather than a fixed value such as the data flow identification information.
- The gateway (101) can generate OTP information that changes at each service request forwarding based on the information for OTP generation and verification included in the authentication information of the data flow, encrypt that value, and forward the service request with data flow header information into which the data flow identification information and the encrypted value have been inserted.
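Operations 1825 and 1830 on the gateway side and the service server's verification through the control server, as an added example that is not code from the patent or the applicant. Assumptions: the header is named `X-Data-Flow` (the text only says "the header area in the case of HTTP"); the OTP is an HMAC-SHA256 over the data flow ID and a per-request counter, truncated to 8 bytes, with the counter as the "additional information"; the "encryption algorithm" is replaced by XOR with an HMAC-derived keystream under a fresh nonce so the block runs on the standard library alone (use AES-GCM in practice); and the service server tolerates a window of five lost requests while rejecting replays. The control server object is shared in-process to stand for the gateway receiving the authentication information in the data flow and the service server querying the control server.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import Optional

HEADER = b"X-Data-Flow"   # assumed header name; the patent only says "header area" for HTTP
WINDOW = 5                # lost requests tolerated before a counter is rejected (assumed)


@dataclass
class AuthInfo:
    """Authentication information of one data flow (assumed layout)."""
    otp_secret: bytes     # "information for OTP generation and verification"
    enc_key: bytes        # "encryption key included in the authentication information"
    sent: int = 0         # gateway-side moving factor: changes at every forwarding
    verified: int = 0     # highest counter the service server has accepted (replay guard)


def otp(secret: bytes, flow_id: str, counter: int) -> bytes:
    """HOTP-style one-time value: HMAC over flow id and counter, truncated to 8 bytes."""
    msg = flow_id.encode() + struct.pack(">Q", counter)
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the encryption algorithm: XOR with an HMAC-derived keystream.

    Self-inverse, so the same call decrypts; data must be at most 32 bytes."""
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


class ControlServer:
    """Control server (102): issues and looks up the authentication info per data flow."""

    def __init__(self) -> None:
        self.flows: dict[str, AuthInfo] = {}

    def issue(self, flow_id: str) -> AuthInfo:
        self.flows[flow_id] = AuthInfo(os.urandom(32), os.urandom(32))
        return self.flows[flow_id]

    def lookup(self, flow_id: str) -> Optional[AuthInfo]:
        return self.flows.get(flow_id)

    def revoke(self, flow_id: str) -> None:
        self.flows.pop(flow_id, None)


class GatewayProxy:
    """Proxy in gateway (101): operation 1825 (insert header) and 1830 (send)."""

    def __init__(self, flow_id: str, auth: AuthInfo) -> None:
        self.flow_id, self.auth = flow_id, auth

    def forward(self, request: bytes) -> bytes:
        self.auth.sent += 1                                   # new OTP for every forwarding
        code = otp(self.auth.otp_secret, self.flow_id, self.auth.sent)
        nonce = os.urandom(8)
        enc = xor_keystream(self.auth.enc_key, nonce, code)   # "encrypt the authentication info"
        value = b":".join([self.flow_id.encode(), nonce.hex().encode(), enc.hex().encode()])
        request_line, sep, rest = request.partition(b"\r\n")
        return request_line + sep + HEADER + b": " + value + b"\r\n" + rest


class ServiceServer:
    """Service server: verifies the data flow header by querying the control server."""

    def __init__(self, ctrl: ControlServer) -> None:
        self.ctrl = ctrl

    def verify(self, request: bytes) -> tuple[bool, str]:
        prefix = HEADER + b": "
        for line in request.split(b"\r\n"):
            if line.startswith(prefix):
                break
        else:
            return False, "no data flow header"
        parts = line[len(prefix):].split(b":")
        if len(parts) != 3:
            return False, "malformed data flow header"
        flow_id = parts[0].decode()
        auth = self.ctrl.lookup(flow_id)                      # query by data flow identification
        if auth is None:
            return False, "unknown data flow"
        code = xor_keystream(auth.enc_key, bytes.fromhex(parts[1].decode()), bytes.fromhex(parts[2].decode()))
        # Accept only a counter ahead of the last verified one, within a small window:
        # a captured header cannot be replayed, and a lost request does not desynchronise.
        for counter in range(auth.verified + 1, auth.verified + 1 + WINDOW):
            if hmac.compare_digest(code, otp(auth.otp_secret, flow_id, counter)):
                auth.verified = counter
                return True, f"counter {counter}"
        return False, "invalid or replayed authentication information"
```

Revoking the data flow at the control server is enough to make every later header from that gateway fail, which is the property the text relies on when it returns invalid data flow information after a node disconnects.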
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Multimedia (AREA)
- Automation & Control Theory (AREA)
- Computing Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
Abstract
According to an embodiment disclosed herein, a gateway may comprise a communication circuit, a memory and a processor operatively coupled to the communication circuit and the memory, the processor being configured to: receive a data packet for a service request from a node; identify whether a data flow corresponding to the data packet exists; when the data flow is identified as existing, forward the data packet to the destination network of the data packet; when the data flow is identified as not existing, forward the data packet to an external server; and, after forwarding the data packet to the external server, receive information on the data flow from the external server according to an authentication result for the node.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
KR1020230022774A KR102612535B1 (ko) | 2023-02-21 | 2023-02-21 | System for controlling network access and method therefor |
KR10-2023-0022774 | 2023-02-21 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2024177382A1 true WO2024177382A1 (fr) | 2024-08-29 |
Family
ID=89159560
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/KR2024/002268 WO2024177382A1 (fr) | 2023-02-21 | 2024-02-21 | Network access control system and method therefor |
Country Status (2)
Country | Link |
---|---|
KR (1) | KR102612535B1 (fr) |
WO (1) | WO2024177382A1 (fr) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102612535B1 (ko) * | 2023-02-21 | 2023-12-12 | 프라이빗테크놀로지 주식회사 | System for controlling network access and method therefor |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR20150060050A (ko) * | 2013-11-25 | 2015-06-03 | 한국전자통신연구원 | Network device and tunnel formation method of the network device |
KR20150116170A (ko) * | 2014-04-07 | 2015-10-15 | 한국전자통신연구원 | Wireless access device configuring multiple data security tunnels, system including the same, and method therefor |
KR102349038B1 (ko) * | 2021-09-02 | 2022-01-11 | 프라이빗테크놀로지 주식회사 | Tunneling and gateway access system optimized for a distributed gateway environment and method therefor |
KR102377246B1 (ko) * | 2021-06-10 | 2022-03-23 | 프라이빗테크놀로지 주식회사 | System for controlling controller-based network access and method therefor |
KR102460696B1 (ko) * | 2022-05-13 | 2022-10-31 | 프라이빗테크놀로지 주식회사 | System for controlling controller-based network access and method therefor |
KR102612535B1 (ko) * | 2023-02-21 | 2023-12-12 | 프라이빗테크놀로지 주식회사 | System for controlling network access and method therefor |
- 2023-02-21: KR application KR1020230022774A filed; granted as patent KR102612535B1 (active, IP right grant)
- 2024-02-21: PCT application PCT/KR2024/002268 filed; published as WO2024177382A1 (status unknown)
Also Published As
Publication number | Publication date |
---|---|
KR102612535B1 (ko) | 2023-12-12 |
Similar Documents
Publication | Title |
---|---|
WO2021060854A1 (fr) | Network access control system and method therefor |
WO2023163509A1 (fr) | Controller-based network connection control system and method therefor |
WO2022231306A1 (fr) | Controller-based network connection control system and corresponding method |
WO2023033586A1 (fr) | System for controlling network access of an application based on TCP session control, and method therefor |
WO2023038387A1 (fr) | System for controlling application network access based on a data flow, and method therefor |
WO2023146308A1 (fr) | Controller-based network access control system, and method therefor |
WO2023163514A1 (fr) | Controller-based network access control system and method therefor |
WO2024177382A1 (fr) | Network access control system and method therefor |
WO2023085793A1 (fr) | Controller-based network access control system, and method therefor |
WO2024177386A1 (fr) | Network access control system and method therefor |
WO2018008800A1 (fr) | Blockchain-based accredited certificate authentication system, and blockchain-based accredited certificate authentication method using the same |
WO2024177384A1 (fr) | Network access control system, and method therefor |
WO2023211124A1 (fr) | Controller-based network connection control system and method therefor |
WO2020189926A1 (fr) | Method and server for managing a user identity using a blockchain network, and user authentication method and terminal using the blockchain-network-based user identity |
WO2020050424A1 (fr) | Blockchain-based system and method for multiple security authentication between a mobile terminal and an IoT device |
WO2023177238A1 (fr) | Controller-based network connection control system, and method therefor |
WO2023085791A1 (fr) | Controller-based network access control system and method therefor |
WO2023211104A1 (fr) | System for controlling controller-based network access, and method therefor |
WO2023211122A1 (fr) | Proxy-based system for controlling file transmission and reception of an application, and method therefor |
WO2023090755A1 (fr) | Virtualization instance network access control system, and method therefor |
WO2023163506A1 (fr) | System for controlling application file transmission and reception, and method therefor |
WO2020189927A1 (fr) | Method and server for managing a user identity using a blockchain network, and user authentication method and terminal using the blockchain-network-based user identity |
WO2023033588A1 (fr) | System for controlling data flows in a virtualization terminal, and method therefor |
WO2023136658A1 (fr) | Controller-based network access control system and method |
WO2023146304A1 (fr) | System for controlling transmission and reception of an application file, and method therefor |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 24760571; Country of ref document: EP; Kind code of ref document: A1 |